Statement on Proposal to Amend PCAOB Auditing Standards Related to a Company’s Noncompliance with Laws and Regulations and Other Related Amendments

Remarks as prepared for delivery

Good morning, everyone. I want to join Chair Williams in expressing my deep appreciation to the staff for their expertise and efforts in developing today’s proposal, including spending substantial time with me and my team throughout the process.

The auditor’s responsibility is to plan and perform procedures to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.¹ 

As with any transaction or event, a company’s noncompliance with laws or regulations or the existence of fraud (collectively, “noncompliance”) may have implications for recorded amounts and disclosures in the financial statements and for internal controls over financial reporting. It is therefore important our standards, in conjunction with the requirements of Section 10A of the Securities Exchange Act of 1934,² sufficiently and clearly address the auditor’s responsibilities with respect to noncompliance. 

As I will further explain, though, I am unable to support today’s proposal as I believe it unreasonably and at great cost expands the scope of the audit to incorporate extensive new compliance attestation procedures and will require legal acumen and expertise well beyond the auditor’s core competency.

Staff’s economic analysis highlights the significant harm fraud and other noncompliance has inflicted on companies, investors, employees, and others across society. The analysis also concludes today’s proposal is likely to significantly increase audit effort and costs across virtually all firms and audits (and thus on preparers and investors). What is less clear is whether certain of the increased requirements are appropriate for the auditor in the context of the auditor’s expertise and the objectives of a financial statement audit.

Many of today’s proposed enhancements are positive. For example, today’s proposal would strengthen requirements during risk assessment and throughout the audit to identify, assess and respond to risks of material financial statement misstatement associated with noncompliance.

The requirement for the auditor to plan and perform procedures to address risks of material misstatement from noncompliance regardless of whether the related law or regulation has a direct or indirect effect on the financial statements also makes sense relative to the auditor’s financial statement audit responsibilities.

However, this expanded scope raises concerns when coupled with the additional proposed requirement for auditors to “plan and perform procedures to identify whether there is information indicating noncompliance…”³

This wording suggests the auditor would be expected and held accountable to identify any and all information that might indicate instances of noncompliance of any law or regulation across the company’s entire operations, without regard to materiality. 

In my view, this is a significant scope expansion; and to meet this requirement, auditors would be required to embed compliance attestation procedures into the financial statement audit. This is well beyond both the scope of the financial statement audit and the auditor’s core competency; and will trigger the need—at great cost-- to significantly increase the use of lawyers and others as specialists on many, if not all PCAOB audit engagements on a recurring basis.   

The scope of the expanded auditor’s procedures cannot be underestimated. 

Companies of all sizes are subject to a vast array of laws and regulations with which they must comply, including federal, state, and local laws in each domestic and foreign jurisdiction in which they operate. These laws and regulations continually evolve, and cover a myriad of areas including corporate governance, securities, markets, trade, contracts, taxes, consumers, employment, health, safety, environmental, privacy, intellectual property, mergers, acquisitions, and foreign corrupt practices among others.

The applicability and significance of each law will change as the company’s business changes, and each law or regulation may have different effects on different business units or divisions.

While the proposal focuses the auditor on those “laws and regulations with which noncompliance could reasonably have a material effect on the financial statements,”⁴ the filtering threshold of “reasonably could” is not adequately explained in the proposal and is not addressed elsewhere in PCAOB standards.

For example, it is unclear whether auditors would make this likelihood assessment considering management compliance policies, programs, processes, and controls (i.e., on a residual risk basis) or on an inherent risk basis.

Lawyers will be required across the wide array of legal disciplines and specializations to assist the auditor in identifying the population of relevant laws and regulations, assess the “could reasonably” scoping filter, design and perform compliance attestation procedures to identify information that may indicate potential noncompliance and evaluate whether such noncompliance has or has likely occurred.

Other provisions of the proposal with which I have concern include:

• It is unclear whether the concept of reasonable assurance is applicable to the auditor’s identification of instances of noncompliance or information indicating noncompliance. Reasonable assurance, rather than absolute assurance, should apply.
• It seems that the proposal may be establishing a requirement beyond existing requirements in AS 2710: Other Information in Documents Containing Audited Financial Statements for auditors to validate whether management has appropriately disclosed information on noncompliance outside the audited financial statements.⁵
• It is questionable whether it would be useful or a distraction to the Audit Committee for the auditor to communicate information indicating potential noncompliance prior to the auditor’s evaluation of whether the noncompliance has likely occurred or of any financial statement impacts (vs. only reporting matters deemed likely to have occurred and/or to have material financial statement implications).

Stepping back, this project is one of 14 on our ambitious standard-setting agenda. Each of the projects is significant. As we proceed one-by-one, I am increasingly concerned we are establishing new auditor obligations and incrementally imposing new auditor responsibilities in ways that will significantly expand the scope and cost of audits, and fundamentally alter the role of auditors without a full and transparent vetting of the implications, including a comprehensive understanding of the overall cost-benefit ramifications. I also wonder whether we are further contributing to the expectations gap by imposing responsibilities on auditors not aligned with their core competencies or the fundamental purpose of a financial statement audit.

I hope commenters will consider and respond to the concerns I have raised, as well as provide additional perspectives to further inform my thinking and the full Board’s deliberations. In addition to investors and auditors, input from audit committees, corporate governance experts, preparers and academics would be particularly helpful.

I would like to recognize and thank all the staff from across the PCAOB’s Divisions and Offices who have contributed to today’s proposal, especially Barb Vanich, Jessica Watts, Lisa Calandriello, Kevin Lombardi, and Michael Shimansky in the Office of the Chief Auditor; Rebecca Mealey in the Division of Enforcement and Investigations; Mike Gurbutt, John Cook, Tian Liang, and Federico Garcia in the Office of Economic and Risk Analysis; and Connor Raso and Michael Ungar in the Office of the General Counsel.

I also thank Chair Williams and my other fellow Board Members and their staffs; Brent Simer, Katie Driscoll, and Lucia Carromba from my team; and the staff from the SEC’s Office of the Chief Accountant for their collaboration and sharing of perspectives on this project.